With all the reports in these forums of accounts being TRIBBLE, I decided it would be a good time to change my account password. There are some major problems here - and it is no wonder accounts are being TRIBBLE. Here is what I had to do....
Starting at the STO forum main page at
http://sto-forum.perfectworld.com/
I click the link for "My Account" at the top. This takes me to the page:
https://my.perfectworld.com/sto/?going_to=/account/sto
This is a secure login page - https. Once logged in, the link to change the password is prominently displayed. Clicking that, I could enter my old password and a new password. I was then informed a verification email was sent to my address. I waited and waited and waited............. I never got an email. I tried over the course of several days and multiple attempts and never got a verification email (and yes - the right email address was labeled). So this password change attempt failed.
So trying something different, starting again at the STO forum main page, I pressed the "Support" link at the top. This took me to the page:
https://support.perfectworld.com/
At the top of this page, I pressed the "My Account" link which took me to the page:
http://www.perfectworld.com/login
Upon logging in, I went through the same process to change my password as before ... and it worked the first time.
So great right? No! Notice that last login link - it is "http". This means that any information sent to the login page is unencrypted. This means that in order for me to successfully change my password, I had to broadcast my login name and password in plaintext to the internet.
No wonder accounts are being TRIBBLE..... Bad Bad Cryptic :mad:
Comments
Spam filters - check. Right email - check. In this process of changing my password, I read your posts - I waited for an hour on multiple occasions over the course of several days. If it were a problem on my end, it is unlikely I would have gotten the mail from either method. Even if I am wrong about that, having an unencrypted login page is unacceptable.
CRUISERS NEED A 206% HULL BUFF
Come on folks, at least TRY to think logically.
PWE's security problems are a liability for Cryptic's security. Cryptic should be concerned.
But it's not as bad as you think though, for someone to see your content (messages, username, passwords, anything sent/received, etc) they would have to be physically in-line with you and the host, PWE/Cryptic in this case. Because the network switches and routers (even modern home wireless routers) do not broadcast the data to all the nodes on a network - the data is routed directly to the host you are communicating with.
Most likely either people are sharing their passwords or key-loggers are installed on their systems. Besides a properly configured and implemented two-factor authentication system, unique passwords for all accounts and up-to-date antivirus software that is capable of detecting keyloggers, there is no technological solution that can prevent a password being used if it is willingly given (edit: or leaked) to someone else.
Along with the recommendations PWE/Cryptic has given...
DO NOT share your passwords with ANYONE.
Use strong passwords - long, uncommon words with symbols and numbers.
Use DIFFERENT PASSWORDS for each of your accounts - yes it's a pain but it's a must - Try LastPass.com to manage passwords that are strong and unique.
Use antivirus software capable of detecting keyloggers and make sure it is UP TO DATE.
To reduce opportunities of getting malware (worms, viruses and keyloggers) on your gaming rig, try either using a different computer or set up dual-booting on your system to have a "general use operating system" and a "gaming operating system". This would help keep your "gaming" setup cleaner for better optimized game play. (edit: ...and only use the "gaming" operating system to game and not browse, etc.)
SCE ADVISORY NOTICE: Improper Impulse Engine maintenance can result in REAR THRUSTER LEAKAGE. ALWAYS have your work inspected by another qualified officer.
Step 2 - download HTTPS Everywhere and HTTPS Finder.
Step 3 - ????
Step 4 - Profit.
Get Ghostery while you're at it if you've not already, same goes for NoScript and Flashblock.
We are PWE. Your forums and game accounts will be added to our own. Your community will adapt to service us. Resistance is futile.
And since the connection doesn't use SSL... well..
Don't use the same password from your other stuff.
so don't
even if they have your info they shouldn't be able to get on the account.
looks like someone's getting fired
The way it's set up right now renders the account guard completely useless, it just gets in the way for the players.
lol when there should only be one.
A lot of people tend to use the same password everywhere. So if you send your password to this website in plain text (when quoting this post I was sent the unsecure login page), and someone obtains that all they need to do follows:
1. Login to your PWE/Cryptic account
2. Check for the email used for the account
3. Now they have your email address and compromised password - so they login to your email and either take it over, or simply use the confirmation emails sent to that email account.
4. They change your PWE/Cryptic account settings and validate it with your now TRIBBLE email.
Account guard won't protect you here, and it would entirely be PWE/Cryptic's fault for not having an encrypted login page. Not a lot you can do except have different passwords for PWE/Cryptic and your email.
The reason accounts get TRIBBLE is the player shares their information either voluntarily or involuntarily and in most cases it is the player's fault. Every time I've bumped into account guard it's been just a quick enter code and bam done. It's also always come through to my e-mail address just fine. Unless you're using a very obscure e-mail provider or have previously marked things from PWE as spam then it should get through to you. Once again, it's you that is the weak link not Cryptic.
The people who get TRIBBLE are targets of opportunity, they're not being TRIBBLE for valuable items, they're not being targeted specifically, they just have poorly protected accounts/computers. Should the PWE site be secure? Yes, but you shouldn't have any need to use it anyway.
Also OP, you're smart enough to notice it was an unsecured site you were changing your password on and did it anyway? Bad bad computer whiz.
It is through repetition that we learn our weakness.
A master with a stone is better than a novice with a sword.
Has damage got out of control?
This is the last thing I will post.
I'm sorry but it's not PWE/Cryptic's fault if your other stuff gets TRIBBLE in that instance. It is your fault for making all your passwords the same. You wouldn't use the same key for 10 different houses would you?
Your password is not "broadcast" to the Internet, the communication is between you and the perfectworld.com web server. The only people that can intercept this traffic are those that share your network connection within your house*, those that share your network connection with your ISP**, and any entities that may be tapped into the ISP or any of the WAN links along the route between it and perfectworld.com; e.g. NSA and DHS. This is why plaintext authentication is insecure.
* This is especially an issue if your PC is using wireless. WiFi traffic is easy to sniff by anyone in proximity to your access point. Multiply the risk if you live in something like an apartment where everyone is close together.
** It's bad if you're on Cable, since you share your bandwidth with everyone else on Cable in your neighborhood. (This is not an issue with DSL since your connection is point-to-point.)
actually it is, they're responsible for account safety and security...
if no one feels safe.. well don't really need to go into details on that.
and its more like having a safety deposit box in someone else's building,
using the same key for other safety deposit boxes.
Account guard does not guard your account.
It doesn't ask for confirmation from the old email address to change to a new one.
It gives you 10 seconds at most, while they verify the new address and boom, it's theirs.
It takes more than this to start being secure.
More directly to what is mentioned, HTTPS Finder and HTTPS Everywhere do not help if SSL (HTTPS addresses) are not being offered by the site.
While I agree with you... in theory... that the vast majority of account hacks are a PEBCAK issue, that in no way, shape, or form excuses Cryptic in this. There is ZERO excuse for ever having an unsecured login. The blind devotion of some people....
Also the OP having seen it was unsecured then went ahead and used it knowing full well the risk involved. He could have e-mailed support, phoned them or maybe even written a letter (they do take snail mail right?) to resolve this issue but instead chose something he knew wasn't a smart thing to do.
Artisan, in the example you provided about safety deposit boxes, PWE/Cryptic are only responsible for keeping the box and, within reason, its contents safe, but not for restricting access to it.
Lord knows there have been enough popular articles, news stories, basic-computer-literacy courses, etc, that have been trying to hammer that lesson home over the past 20 years or so; by this point, everyone with a computer should be well aware that using a single password for everything is about as secure as fastening all your windows shut, but leaving your doors unlocked.
Sorry, but if you get multiple accounts TRIBBLE because you used the same p/w over and over, my sympathies, while not nonexistent, are limited.
Yup - that is the point. The only working option for me to change my password is to login through an unsecure page. Given that it is both prudent and recommended in light of the current apparent account takeovers, I have no choice.
Email, phone, or snail mail ...... the problem isn't me. I am using a PWE/Cryptic SUPPORTED AND SUPPLIED method to change my password - the supported and supplied method is insecure. Period.
Of course it is an incredibly bad practice to use the same password. It doesn't negate PWE/Cryptic's responsibility to protect account/user information entered into their website. And yes - it is a responsibility because real life money paid to them for use of services/items by an account holder might be stolen by a poorly secured login page. Given that they have other pages that are secured, it is inexcusable to have one that isn't.